Hello community,

here is the log from the commit of package ghc-hackage-security for 
openSUSE:Factory checked in at 2016-10-19 13:04:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ghc-hackage-security (Old)
 and      /work/SRC/openSUSE:Factory/.ghc-hackage-security.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ghc-hackage-security"

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/ghc-hackage-security/ghc-hackage-security.changes    
    2016-07-21 08:12:21.000000000 +0200
+++ 
/work/SRC/openSUSE:Factory/.ghc-hackage-security.new/ghc-hackage-security.changes
   2016-10-19 13:04:13.000000000 +0200
@@ -1,0 +2,5 @@
+Fri Sep 16 21:16:02 UTC 2016 - psim...@suse.com
+
+- Update to version 0.5.2.2 with cabal2obs.
+
+-------------------------------------------------------------------

Old:
----
  hackage-security-0.5.2.1.tar.gz

New:
----
  hackage-security-0.5.2.2.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ghc-hackage-security.spec ++++++
--- /var/tmp/diff_new_pack.tGvGVl/_old  2016-10-19 13:04:14.000000000 +0200
+++ /var/tmp/diff_new_pack.tGvGVl/_new  2016-10-19 13:04:14.000000000 +0200
@@ -19,15 +19,14 @@
 %global pkg_name hackage-security
 %bcond_with tests
 Name:           ghc-%{pkg_name}
-Version:        0.5.2.1
+Version:        0.5.2.2
 Release:        0
 Summary:        Hackage security library
 License:        BSD-3-Clause
-Group:          System/Libraries
+Group:          Development/Languages/Other
 Url:            https://hackage.haskell.org/package/%{pkg_name}
 Source0:        
https://hackage.haskell.org/package/%{pkg_name}-%{version}/%{pkg_name}-%{version}.tar.gz
 BuildRequires:  ghc-Cabal-devel
-# Begin cabal-rpm deps:
 BuildRequires:  ghc-base16-bytestring-devel
 BuildRequires:  ghc-base64-bytestring-devel
 BuildRequires:  ghc-bytestring-devel
@@ -56,7 +55,6 @@
 BuildRequires:  ghc-tasty-quickcheck-devel
 BuildRequires:  ghc-temporary-devel
 %endif
-# End cabal-rpm deps
 
 %description
 The hackage security library provides both server and client utilities for
@@ -90,20 +88,14 @@
 %prep
 %setup -q -n %{pkg_name}-%{version}
 
-
 %build
 %ghc_lib_build
 
-
 %install
 %ghc_lib_install
 
-
 %check
-%if %{with tests}
-%{cabal} test
-%endif
-
+%cabal_test
 
 %post devel
 %ghc_pkg_recache
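Review bot: The `%if %{with tests}` guard around the test run is dropped in favour of a bare `%cabal_test`, while `%bcond_with tests` is kept at the top of the spec; unless `%cabal_test` itself consults the `tests` bcond, the test suite is now either always or never executed and the bcond is dead. If the macro does honour it, a one-line comment such as `# %cabal_test honours %bcond_with tests` next to the call would save the next maintainer the lookup; if it does not, the `%if %{with tests}` guard should be restored around it.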

++++++ hackage-security-0.5.2.1.tar.gz -> hackage-security-0.5.2.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/hackage-security-0.5.2.1/ChangeLog.md 
new/hackage-security-0.5.2.2/ChangeLog.md
--- old/hackage-security-0.5.2.1/ChangeLog.md   2016-06-07 23:44:49.000000000 
+0200
+++ new/hackage-security-0.5.2.2/ChangeLog.md   2016-08-29 00:57:40.000000000 
+0200
@@ -1,3 +1,10 @@
+0.5.2.2
+-------
+
+* Fix client in case where server provides MD5 hashes
+  (ignore them, use only SHA256)
+* Fix warnings with GHC 8
+
 0.5.2.1
 -------
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/hackage-security-0.5.2.1/hackage-security.cabal 
new/hackage-security-0.5.2.2/hackage-security.cabal
--- old/hackage-security-0.5.2.1/hackage-security.cabal 2016-06-07 
23:44:49.000000000 +0200
+++ new/hackage-security-0.5.2.2/hackage-security.cabal 2016-08-29 
00:57:40.000000000 +0200
@@ -1,5 +1,5 @@
 name:                hackage-security
-version:             0.5.2.1
+version:             0.5.2.2
 synopsis:            Hackage security library
 description:         The hackage security library provides both server and
                      client utilities for securing the Hackage package server
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/hackage-security-0.5.2.1/src/Hackage/Security/Client/Formats.hs 
new/hackage-security-0.5.2.2/src/Hackage/Security/Client/Formats.hs
--- old/hackage-security-0.5.2.1/src/Hackage/Security/Client/Formats.hs 
2016-06-07 23:44:49.000000000 +0200
+++ new/hackage-security-0.5.2.2/src/Hackage/Security/Client/Formats.hs 
2016-08-29 00:57:40.000000000 +0200
@@ -113,4 +113,3 @@
 formatsLookup (HFS hf)  (FsUn   _  ) = hasFormatAbsurd hf
 formatsLookup (HFS hf)  (FsGz     _) = hasFormatAbsurd hf
 formatsLookup (HFS hf)  (FsUnGz _ a) = formatsLookup hf (FsGz a)
-formatsLookup _         _            = error "inaccessible"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/hackage-security-0.5.2.1/src/Hackage/Security/Client/Repository/Local.hs 
new/hackage-security-0.5.2.2/src/Hackage/Security/Client/Repository/Local.hs
--- 
old/hackage-security-0.5.2.1/src/Hackage/Security/Client/Repository/Local.hs    
    2016-06-07 23:44:49.000000000 +0200
+++ 
new/hackage-security-0.5.2.2/src/Hackage/Security/Client/Repository/Local.hs    
    2016-08-29 00:57:40.000000000 +0200
@@ -92,8 +92,6 @@
 verifyLocalFile (LocalFile fp) trustedInfo = do
     -- Verify the file size before comparing the entire file info
     sz <- FileLength <$> getFileSize fp
-    if sz /= fileInfoLength
+    if sz /= fileInfoLength (trusted trustedInfo)
       then return False
-      else knownFileInfoEqual info <$> computeFileInfo fp
-  where
-    info@FileInfo{..} = trusted trustedInfo
+      else compareTrustedFileInfo (trusted trustedInfo) <$> computeFileInfo fp
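Review bot: `trusted trustedInfo` is now spelled out twice in `verifyLocalFile`, once in the `if` condition and once in the `else` branch, where the removed `info@FileInfo{..}` binding had named it once; a plain `where tInfo = trusted trustedInfo` keeps the single name without relying on RecordWildCards, and the same duplication appears in `verifyRemoteFile` in Remote.hs. Both functions still return a bare `Bool`, so a length mismatch, a SHA256 mismatch and a missing SHA256 entry are indistinguishable to the caller and to any log line written when a repository file fails verification; a small result type would make those diagnostics possible, though that is a wider change than this fix. The type signature of `verifyLocalFile` sits above the hunk and is not visible here.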
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/hackage-security-0.5.2.1/src/Hackage/Security/Client/Repository/Remote.hs 
new/hackage-security-0.5.2.2/src/Hackage/Security/Client/Repository/Remote.hs
--- 
old/hackage-security-0.5.2.1/src/Hackage/Security/Client/Repository/Remote.hs   
    2016-06-07 23:44:49.000000000 +0200
+++ 
new/hackage-security-0.5.2.2/src/Hackage/Security/Client/Repository/Remote.hs   
    2016-08-29 00:57:40.000000000 +0200
@@ -652,9 +652,10 @@
 verifyRemoteFile :: RemoteTemp typ -> Trusted FileInfo -> IO Bool
 verifyRemoteFile remoteTemp trustedInfo = do
     sz <- FileLength <$> remoteSize remoteTemp
-    if sz /= fileInfoLength
+    if sz /= fileInfoLength (trusted trustedInfo)
       then return False
-      else withRemoteBS remoteTemp $ knownFileInfoEqual info . fileInfo
+      else withRemoteBS remoteTemp $
+             compareTrustedFileInfo (trusted trustedInfo) . fileInfo
   where
     remoteSize :: RemoteTemp typ -> IO Int54
     remoteSize DownloadedWhole{..} = getFileSize wholeTemp
@@ -679,8 +680,6 @@
               , temp
               ]
 
-    info@FileInfo{..} = trusted trustedInfo
-
 
{-------------------------------------------------------------------------------
   Auxiliary: multiple exit points
 
-------------------------------------------------------------------------------}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/hackage-security-0.5.2.1/src/Hackage/Security/Client.hs 
new/hackage-security-0.5.2.2/src/Hackage/Security/Client.hs
--- old/hackage-security-0.5.2.1/src/Hackage/Security/Client.hs 2016-06-07 
23:44:49.000000000 +0200
+++ new/hackage-security-0.5.2.2/src/Hackage/Security/Client.hs 2016-08-29 
00:57:40.000000000 +0200
@@ -332,7 +332,13 @@
       DontCache  -> Nothing
 
 -- | Get all cached info (if any)
-getCachedInfo :: (Applicative m, MonadIO m) => Repository down -> m CachedInfo
+getCachedInfo ::
+#if __GLASGOW_HASKELL__ < 800
+                 (Applicative m, MonadIO m)
+#else
+                 MonadIO m
+#endif
+              => Repository down -> m CachedInfo
 getCachedInfo rep = do
     (cachedRoot, cachedKeyEnv) <- readLocalRoot rep
     cachedTimestamp <- readLocalFile rep cachedKeyEnv CachedTimestamp
@@ -353,8 +359,10 @@
                     readCachedJSON rep KeyEnv.empty cachedPath
     return (trustLocalFile signedRoot, rootKeys (signed signedRoot))
 
-readLocalFile :: ( FromJSON ReadJSON_Keys_Layout (Signed a)
-                 , MonadIO m, Applicative m
+readLocalFile :: ( FromJSON ReadJSON_Keys_Layout (Signed a), MonadIO m
+#if __GLASGOW_HASKELL__ < 800
+                 , Applicative m
+#endif
                  )
               => Repository down -> KeyEnv -> CachedFile -> m (Maybe (Trusted 
a))
 readLocalFile rep cachedKeyEnv file = do
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/hackage-security-0.5.2.1/src/Hackage/Security/TUF/FileInfo.hs 
new/hackage-security-0.5.2.2/src/Hackage/Security/TUF/FileInfo.hs
--- old/hackage-security-0.5.2.1/src/Hackage/Security/TUF/FileInfo.hs   
2016-06-07 23:44:49.000000000 +0200
+++ new/hackage-security-0.5.2.2/src/Hackage/Security/TUF/FileInfo.hs   
2016-08-29 00:57:40.000000000 +0200
@@ -6,6 +6,7 @@
     -- * Utility
   , fileInfo
   , computeFileInfo
+  , compareTrustedFileInfo
   , knownFileInfoEqual
   , fileInfoSHA256
     -- ** Re-exports
@@ -61,6 +62,9 @@
 fileInfo bs = FileInfo {
       fileInfoLength = FileLength . fromIntegral $ BS.L.length bs
     , fileInfoHashes = Map.fromList [
+          -- Note: if you add or change hash functions here and you want to
+          -- make them compulsory then you also need to update
+          -- 'compareTrustedFileInfo' below.
           (HashFnSHA256, Hash $ BS.C8.unpack $ Base16.encode $ SHA256.hashlazy 
bs)
         ]
     }
@@ -69,11 +73,34 @@
 computeFileInfo :: FsRoot root => Path root -> IO FileInfo
 computeFileInfo fp = fileInfo <$> readLazyByteString fp
 
--- | Compare known file info
+-- | Compare the expected trusted file info against the actual file info of a
+-- target file.
 --
--- This should be used only when the FileInfo is already known. If we want to
--- compare known FileInfo against a file on disk we should delay until we know
--- have confirmed that the file lengths don't match (see 'verifyFileInfo').
+-- This should be used only when the 'FileInfo' is already known. If we want
+-- to compare known 'FileInfo' against a file on disk we should delay until we
+-- have confirmed that the file lengths match (see 'downloadedVerify').
+--
+compareTrustedFileInfo :: FileInfo -- ^ expected (from trusted TUF files)
+                       -> FileInfo -- ^ actual (from 'fileInfo' on target file)
+                       -> Bool
+compareTrustedFileInfo expectedInfo actualInfo =
+    -- The expected trusted file info may have hashes for several hash
+    -- functions, including ones we do not care about and do not want to
+    -- check. In particular the file info may have an md5 hash, but this
+    -- is not one that we want to check.
+    --
+    -- Our current policy is to check sha256 only and ignore md5:
+    sameLength expectedInfo actualInfo
+ && sameSHA256 expectedInfo actualInfo
+  where
+    sameLength a b = fileInfoLength a
+                  == fileInfoLength b
+
+    sameSHA256 a b = case (fileInfoSHA256 a,
+                           fileInfoSHA256 b) of
+                       (Just ha, Just hb) -> ha == hb
+                       _                  -> False
+
 knownFileInfoEqual :: FileInfo -> FileInfo -> Bool
 knownFileInfoEqual a b = (==) (fileInfoLength a, fileInfoHashes a)
                               (fileInfoLength b, fileInfoHashes b)
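Review bot: `knownFileInfoEqual` is left in place and still exported, and it compares the whole `fileInfoHashes` map, MD5 entries included, which is exactly the comparison this release stops using for trusted verification; a caller reaching for it instead of `compareTrustedFileInfo` would silently reintroduce MD5-dependent equality. I would add a haddock on it, e.g. `-- | Structural equality on the length and every recorded hash (MD5 included). Not for checking a file against trusted info; use 'compareTrustedFileInfo'.`, or mark it DEPRECATED if no in-tree caller remains. The `_ -> False` branch in `sameSHA256` is the right fail-closed default: expected info without a SHA256 entry cannot be verified and must not pass on length alone, and that policy deserves a sentence in the haddock of `compareTrustedFileInfo`. The haddock also points the reader to 'downloadedVerify', a name that does not appear in this diff, whereas the callers changed here are `verifyLocalFile` and `verifyRemoteFile`; worth confirming the link resolves.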

